On November 25th, my team has announced the release for Christmas of Obfuscator-LLVM, an open-source obfuscation tool based on the LLVM compilation suite. Why Christmas? Because version 3.4 of LLVM was planned to be released on the 23rd of December, and we wished to port our code to the latest version of the compiler before publishing it.
On December 18th, I have been privately contacted by pod2g, a French security researcher active in the Apple jailbreaking scene, kindly asking me whether his team, the evad3rs, could get an early access to our tool. Without thinking too much about the possible consequences, and naively seeing it as an easy way to get some publicity for our research project, my collaborators and I have accepted to send them the source code of Obfuscator-LLVM one week earlier than the planned release. In exchange, we only asked to be credited on their website; I would like to clearly state that we never spoke about financial compensation, or about any other kind of reward.
The evasi0n jailbreak was released on December 23rd, taking the jailbreak community by surprise, and instantly generating a controversy. Indeed, the jailbreaking software arrived bundled with a Chinese app store apparently delivering pirated apps and/or malware.
Providing a version of Obfuscator-LLVM to the evad3rs one week in advance on our planned release was a mistake, and we regret this turn of events, as our academic research project is now somehow linked to the murkier side of ITsec.
But more importantly, this controversy raises deep questions about the release of “dual-use” academic tools. Obfuscation techniques, i.e. software techniques aiming at increasing the cost of reverse-engineering, have in practice been so far used by malware writers as well as in the domain of Digital Right Management. Although there has been academic research on the subject for more than a decade, only a handful of tools are freely available as open-source software, and few of them are able to obfuscate C/C++/Objective-C code in an effective way (Kryptonite being an example). Moreover, I am aware of only a handful of vendors selling commercial tools of this kind; those include Arxan, Whitecryption or Morpher, and their products are expensive.
With that said, is it ethical to release a tool like Obfuscator-LLVM?
Our feeling is that publishing an open-source C/C++ obfuscating tool makes sense for several reasons:
- While it is a “dual-use” tool, I see no reason why obfuscation and software protection tools should be in a different position than, say, encryption tools, fuzzers, network scanners, exploitation frameworks or butcher knives. All of them can be used with ethical goals in mind, or with malicious intents. Even jailbreaking software can be used as much to install pirated software on an device, as by authorities for forensic purposes or pen-testers for auditing goals.
- The fact that Obfuscator-LLVM will be open-source will make it easier to audit its code base, ensuring that it is backdoor-insertion free.
- With an available open-source obfuscating tool, academic security researchers will have access to a free tool when studying and designing new automated de-obfuscation engines and reverse-engineering processes aiming at helping malware analysts.
- Code obfuscation can also bring lesser-known security benefits for our digital ecosystem as a by-product. For instance, obfuscation brings software diversity, since an obfuscation process can typically be heavily randomized. This can be considered as a first defense against mass software attacks.
Those considerations are only preliminary. My team still plans to release Obfuscator-LLVM in the coming days. I hope that this blog post will contribute in clarifying our intentions with regard to the goals of Obfuscator-LLVM.
In the meanwhile, Merry Christmas to everybody!